b"                         National Archives and Records Administration\n                                                                                               8601 Adelphi Road\n                                                                              College Park, Maryland 20740-6001\n\nDate           December 11, 2009\n\nRepJyto        Office of Inspector General (OIG)\nAttn of\n\n\nSubject       Audit Report No. 10-02 Cotton & Company LLP (C&C) Audit of the\n              National Archives and Records Administration FY 2009 Financial Statements\n\nTo        :    David Ferriero, Archivist of the United States (N)\n\n\n               Enclosed for your review are the reports prepared by Cotton & Company, LLP (C&C) for the\n               subject audit. C&C issued an unqualified opinion on NARA's FY 2009 financial statements.\n\n               C&C reported two significant deficiencies in internal control over financial reporting in the\n               areas of Personal Property and Information Technology resulting in 18 recommendations\n               that if implemented, should correct the matters reported. C&C disclosed no material\n               weaknesses and no instances of noncompliance with certain provisions of laws and\n               regulations.\n\n               In connection with the contract, we reviewed C&C' s report and related documentation and\n               inquired of its representatives. Our review, as differentiated from an audit in accordance\n               with U.S. Generally Accepted Government Auditing Standards (GAGAS) was not intended\n               to enable us to express, as we do not express, an opinion on NARA's financial statements\n               or conclusions about the effectiveness of internal control or on whether NARA's financial\n               management system substantially complied with FFMIA; or conclusions with laws and\n               regulations. 
C&C is responsible for the attached auditor's report dated November 12,2009\n               and the conclusions expressed in the report. However, our review disclosed no instances\n               where C&C did not comply, in all material respects, with GAGAS.\n\n               In accordance with NARA 1201, your written response to each recommendation is due\n               within 45 days. We appreciate the cooperation and assistance NARA extended to C&C\n               and my staff during the audit. If you have any questions, please contact me or James\n               Springs, Assistant Inspector General for Auditing at (301) 837-3000.\n\n\n\n\n       t/:~Y/\n               Paul Brachfeld\n               Inspector General\n\n\n               Enclosure: Cotton & Company's NARA FY 2009 Financial Statements\n                          Independent Audit Report\n\n\n\n                                        National Archives and Records Administration\n\x0c                                     Independent Auditor\xe2\x80\x99s Report\n\n\nThe Inspector General\nNational Archives and Records Administration\n\nWe have audited the accompanying consolidated balance sheet of the National Archives and Records\nAdministration (NARA) as of September 30, 2009, and the related statement of net cost, changes in net\nposition and budgetary resources, for the year then ended (hereinafter collectively referred to as the\n\xe2\x80\x9cfinancial statements\xe2\x80\x9d). These financial statements are the responsibility of NARA\xe2\x80\x99s management. Our\nresponsibility is to express an opinion on these financial statements based upon our audit. 
The financial\nstatements of NARA, as of September 30, 2008, were audited by other auditors whose report dated\nNovember 12, 2008, expressed an unqualified opinion on those statements.\n\nWe conducted our audit in accordance with auditing standards generally accepted in the United States of\nAmerica; standards applicable to financial statement audits contained in Government Auditing Standards,\nissued by the Comptroller General of the United States; and Office of Management and Budget (OMB)\naudit guidance. Those standards require that we plan and perform the audit to obtain reasonable assurance\nabout whether the financial statements are free of material misstatement. An audit includes examining, on\na test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also\nincludes assessing the accounting principles and significant estimates made by management, as well as\nevaluating the overall financial statements\xe2\x80\x99 presentation. We believe our audit provides a reasonable basis\nfor our opinion.\n\nIn our opinion, the financial statements referred to above, present fairly, in all material respects, the\nfinancial position of NARA as of September 30, 2009, and its net cost, changes in net position, and\nbudgetary resources for the year then ended, in conformity with accounting principles generally accepted\nin the United States of America.\n\nIn accordance with Government Auditing Standards, we have also issued our reports dated November 12,\n2009, on our consideration of NARA\xe2\x80\x99s internal control over financial reporting, and on our tests of\nNARA\xe2\x80\x99s compliance with certain provisions of laws and regulations and other matters. The purpose of\nthose reports is to describe the scope of our testing on internal control over financial reporting and\ncompliance, and the results of that testing, and not to provide an opinion on the internal control over\nfinancial reporting or on compliance. 
Those reports are an integral part of an audit performed in\naccordance with Government Auditing Standards and should be read in conjunction with this report, in\nconsidering the results of our audit.\n\nThe information in the Management Discussion and Analysis and Required Supplementary Information\nsections is not a required part of the consolidated financial statements, but is supplementary information\nrequired by accounting principles generally accepted in the United States of America. We have applied\ncertain limited procedures, which consisted principally of inquiries of management regarding the methods\nof measurement and presentation of this information. However, we did not audit this information and,\naccordingly, we express no opinion on it.\n\n\n\n\n                                                     1\n\x0cOur audits were conducted for the purpose of forming an opinion on the consolidated financial statements\ntaken as a whole. The information in the Message from the Archivist, Performance Section, and Other\nAccompanying Information is presented for purposes of additional analysis and is not required as part of\nthe consolidated financial statements. This information has not been subjected to auditing procedures\nand, accordingly, we express no opinion on it.\n\nCOTTON & COMPANY LLP\n\nJeffrey A. Long, CPA, CISA, CGFM\nPartner\n\n\n\nNovember 12, 2009\nAlexandria, VA\n\n\n\n\n                                                   2\n\x0c                  Independent Auditor\xe2\x80\x99s Report on Compliance and Other Matters\n\n\nThe Inspector General\nNational Archives and Records Administration\n\nWe have audited the financial statements of the National Archives and Records Administration (NARA)\nas of, and for the year ended September 30, 2009, and have issued our report thereon dated November 12,\n2009. 
We conducted our audit in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and Office of Management and\nBudget (OMB) audit guidance.\n\nNARA\xe2\x80\x99s management is responsible for complying with laws and regulations applicable to NARA. As\npart of obtaining reasonable assurance about whether NARA\xe2\x80\x99s financial statements are free of material\nmisstatements, we performed tests of NARA\xe2\x80\x99s compliance with certain provisions of laws and regulations\nthat have a direct and material effect on the financial statements. We did not test compliance with all laws\nand regulations applicable to NARA. We limited our tests of compliance to those provisions of laws and\nregulations required by OMB audit guidance that we deemed applicable to the financial statements, for\nthe fiscal year ended September 30, 2009. We caution that noncompliance may have occurred and may\nnot have been detected by these tests, and that such testing may not be sufficient for other purposes.\n\nThe results of our tests of compliance with laws and regulations described in the preceding paragraph\ndisclosed no instances of material noncompliance that are required to be reported under Government\nAuditing Standards and OMB audit guidance. However, providing an opinion on compliance with certain\nprovisions of laws and regulations was not an objective of our audit, and, accordingly we do not express\nsuch an opinion.\n\nThis report is intended solely for the information and use of management of NARA, NARA Office of\nInspector General, the Government Accountability Office (GAO), OMB, and Congress, and is not\nintended to be and should not be used by anyone other than those specified parties.\n\nCOTTON & COMPANY LLP\n\nJeffrey A. 
Long, CPA, CISA, CGFM\nPartner\n\n\n\nNovember 12, 2009\nAlexandria, VA\n\n\n\n\n                                                     3\n\x0c                           Independent Auditor\xe2\x80\x99s Report on Internal Control\n\n\nThe Inspector General\nNational Archives and Records Administration\n\nWe have audited the financial statements of the National Archives and Records Administration (NARA)\nas of, and for the year ended September 30, 2009, and have issued our report thereon dated November 12,\n2009. We conducted our audit in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and Office of Management and\nBudget (OMB) audit guidance.\n\nIn planning and performing our audit, we considered NARA\xe2\x80\x99s internal control over financial reporting by\nobtaining an understanding of the design effectiveness of NARA\xe2\x80\x99s internal control, determining whether\nthese controls had been placed in operation, assessing control risk, and performing tests of the controls in\norder to determine our auditing procedures for the purpose of expressing our opinion on the consolidated\nfinancial statements, and not to provide an opinion on the internal controls. Accordingly, we do not\nexpress an opinion on the effectiveness of NARA\xe2\x80\x99s internal control over financial reporting.\n\nWe limited our internal control testing to those controls necessary to achieve the objectives described in\nOMB audit guidance. 
We did not test all internal controls relevant to operating objectives, as broadly\ndefined by the Federal Managers' Financial Integrity Act of 1982 (FMFIA), such as those controls\nrelevant to ensuring efficient operations.\n\nA control deficiency exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent or detect\nmisstatements on a timely basis. A significant deficiency is a control deficiency, or combination of\ncontrol deficiencies, that adversely affects NARA\xe2\x80\x99s ability to initiate, authorize, record, process, or report\nfinancial data reliably, in accordance with generally accepted accounting principles, such that there is\nmore than a remote likelihood that a misstatement of NARA\xe2\x80\x99s financial statements that is more than\ninconsequential will not be prevented or detected by NARA\xe2\x80\x99s internal controls.\n\nA material weakness is a significant deficiency, or combination of significant deficiencies, that results in\nmore than a remote likelihood that a material misstatement of the financial statements will not be\nprevented or detected by NARA\xe2\x80\x99s internal controls.\n\nOur consideration of internal controls was for the limited purpose described in the second and third\nparagraphs of this report, and would not necessarily identify all deficiencies in internal control that might\nbe significant deficiencies or material weaknesses.\n\nWe identified two deficiencies in internal control over financial reporting that we consider to be\nsignificant deficiencies. However, we do not believe that the significant deficiencies described below are\nmaterial weaknesses over financial reporting.\n\n                                   *******************************\n\n                                                      4\n\x0cSIGNIFICANT DEFICIENCIES\n\nI. 
Personal Property\n\nNARA\xe2\x80\x99s processes and internal control procedures used to ensure the proper accountability of personal\nproperty assets and related accounting transactions need improvement. Improvements are needed in the\nfollowing key areas:\n\n    A . Adherence to Policies and Procedures - NARA employees do not always follow operating\n        policies and procedures implemented by the Facilities and Personal Property Management\n        Division (NAF) regarding the accountability of personal property items. Specifically, staff\n        members do not always report or document the acquisition, transfer, or disposition of personal\n        property items.\n\n    B . Personal Property in the Hands of Contractors - NARA does not have policies and procedures\n        in place to ensure the physical accountability of NARA-owned assets that are in the custody of\n        contractors. In addition, NARA property managers do not barcode or inventory personal property\n        used by and in the possession of contractors.\n\n    C . Personal Property Systems - Personal property is tracked in the Personal Property Management\n        System (PPMS), which does not interface with the general ledger. NARA has determined that the\n        cost of integrating PPMS with the general ledger would exceed the benefits; therefore, these two\n        systems will not be integrated. NARA\xe2\x80\x99s Financial Reports Staff (NAX) has been unable to rely\n        on PPMS for certain property accounting functions due to the system\xe2\x80\x99s instability. Instead,\n        personal property transactions (e.g. acquisitions, disposals, and depreciation) are valued on\n        Microsoft Excel spreadsheets using PPMS information and manual processes. 
These processes\n        are prone to human error and sufficient compensating controls are not in place to provide\n        reasonable assurance that errors will be identified and corrected in a timely manner.\n\nOMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control states:\n\n    It is management\xe2\x80\x99s responsibility to develop and maintain effective internal control\xe2\x80\xa6Agency\n    managers should continuously monitor and improve the effectiveness of internal control\n    associated with their programs.\n\nIn addition, Government Accountability Office\xe2\x80\x99s (GAO) Standards for Internal Control in the Federal\nGovernment states:\n\n    An agency must establish physical control to secure and safeguard vulnerable assets. Examples\n    include security for and limited access to assets such as cash, securities, inventories, and\n    equipment which might be vulnerable to risk of loss or unauthorized use.\n\nFailing to implement adequate processes and internal control procedures over personal property\ntransactions could result in assets being stolen or misplaced and not being detected by management in a\ntimely manner. In addition, personal property related account balances could be misstated because\naccounting personnel are not notified of acquisitions and disposals in a timely manner. The following\nissues were noted when testing personal property transactions as of June 30, 2009.\n\n    1. 
Stewardship of Accountable Items \xe2\x80\x93 While performing testing of NARA\xe2\x80\x99s internal control over\n       accountable personal property assets, we noted the following issues:\n\n\n\n                                                    5\n\x0c       \xe2\x80\xa2   NARA was unable to locate one asset in our sample, and thus, we could not verify the\n           existence of the item.\n\n       \xe2\x80\xa2   Nine sampled items were recorded as being physically located in Archives II in PPMS, but\n           the results of our audit procedures indicated the items were located at various other NARA\n           field locations.\n\n       \xe2\x80\xa2   Two accountable items were identified at NARA facilities and were not recorded in PPMS.\n\n   2. Account Balance Misstatements - While performing testing of personal property accounting\n      transactions, we noted the following issues:\n\n       \xe2\x80\xa2   NARA improperly recorded disposal transactions for fully depreciated personal property\n           items with a total acquisition cost of roughly $21 million. In FY 2009, NARA recorded\n           disposal transactions for all fully depreciated personal property assets without first verifying\n           the physical status of the asset. These improper entries were subsequently reversed.\n\n       \xe2\x80\xa2   In addition, we noted several insignificant errors in depreciation calculations that were caused\n           by human error.\n\n       Recommendations\n\n       We recommend that NAF should:\n\n       1. Finalize and implement its personal property policies and procedures manual during the first\n          quarter of FY 2010.\n\n       2. Provide personal property-related training to NARA employees.\n\n       3. Design and implement monitoring procedures to ensure NARA employees adhere to personal\n          property-related policies and procedures.\n\n       4. 
Design and implement procedures to ensure the accountability of assets in the custody of\n          contractors.\n\n       5. Continue to implement personal property accounting functionality within the Maximo\n          system, and in doing so, ensure that the application has adequate functionality to meet the\n          requirements articulated by the Joint Financial Management Improvement Program (JFMIP)\n          in its document titled, Property Management Systems Requirements.\n\n       We recommend that NAX should:\n\n       6. Perform a risk assessment to determine if it has sufficient procedures in place to mitigate\n          risks posed by the manual processes used to account for personal property transactions.\n\n       7. Design and implement controls, as necessary, to address significant risks identified during the\n          risk assessment.\n\nII. Information Technology\n\nDuring FY 2009 NARA continued to make improvements in its information technology (IT) control\nenvironment by addressing recommendations made in previous audits. However, improvements are still\n\n                                                    6\n\x0cneeded in the following IT control areas: access control, segregation of duties, and contingency planning.\nDeficiencies noted in each area are discussed in sections A through C below. The issues discussed below,\ncombined with the open recommendations from the previous fiscal year\xe2\x80\x99s (see Appendix A) financial\nstatement audit, collectively represent a significant deficiency in internal control over financial reporting.\n\nA. Access Controls\n   Access controls provide reasonable assurance that access to computer resources is reasonable and\n   restricted to authorized individuals. NARA access control procedures must be improved in the\n   following areas: account management, exit clearance process and incident response programs.\n   Specific issues identified during testing are discussed below.\n\n    1. 
Account Management\n       NARA has not implemented sufficient controls to ensure that account management policies and\n       procedures are consistent with National Institute of Standards and Technology (NIST)\n       requirements and industry best practices. Application-specific issues noted during testing are\n       discussed below:\n\n        a) NARANET\n           \xe2\x80\xa2 NARA management relies on the annual security awareness training process to recertify\n             accounts and determine if users still require system access. This process does not ensure\n             that all applicable accounts are removed or disabled in a timely manner because the\n             certification only occurs once per year. Additionally, this process only reviews\n             individuals with login abilities; it does not review accounts that are not assigned to a\n             specific individual (e.g. backup accounts, test accounts, and training accounts).\n\n            \xe2\x80\xa2   Numerous NARANET accounts exist that are used for testing, training, and back-up.\n                The responsibility for managing and determining the ongoing need for these accounts are\n                not associated to a specific individual. Therefore, unnecessary accounts may be still\n                active due to a lack of oversight responsibilities.\n\n            \xe2\x80\xa2   Inactive accounts are not consistently disabled or removed in a timely manner. We noted\n                224 accounts in which the user had either never logged on to NARANET or had not\n                logged on in over a year. In all 224 cases, the accounts were not disabled.\n\n            \xe2\x80\xa2   NARANET\xe2\x80\x99s maximum password age requirement of 365 days is not consistent with\n                NIST and OMB requirements and is not effective for providing adequate protection\n                against unauthorized use. 
The password age requirement of 365 days was put in place\n                based upon a standard designed for public use systems, NIST Special Publication (SP)\n                800-63 Electronic Authentication Guideline, which is not meant for internal government\n                use systems. In addition, our testing identified 37 active accounts that had not changed\n                their password in over 365 days. These password practices and issues increase the risk\n                that unauthorized users could effectively guess passwords and gain access to NARA\xe2\x80\x99s\n                computing resources.\n\n        b) Records Center Program Billing System (RCPBS)\n           \xe2\x80\xa2  RCPBS does not have configurable lockout policy settings. Also, RCPBS does not have a\n              configurable password policy that requires users to change their password periodically;\n              prohibits the reuse of passwords for a specific length of time; and automatically expiries\n              user passwords.\n\n            \xe2\x80\xa2   Additionally, inactive accounts are not consistently disabled or removed in a timely\n                manner. We identified 34 accounts that were inactive for over 365 days.\n\n                                                      7\n\x0c        c) Personal Property Management System (PPMS):\n\n            Our testing noted that PPMS cannot enforce a configurable password or lockout policy.\n\nNIST SP 800-53, Revision 2: Recommended Security Controls for Federal Information Systems, requires\nthe following:\n\n    AC-2 ACCOUNT MANAGEMENT\n    The organization manages information system accounts, including establishing, activating,\n    modifying, reviewing, disabling, and removing accounts. 
The organization reviews information\n    system accounts at least annually.\n\n    The organization specifically authorizes and monitors the use of guest/anonymous accounts and\n    removes, disables, or otherwise secures unnecessary accounts. Account managers are notified\n    when information system users are terminated or transferred and associated accounts are\n    removed, disabled, or otherwise secured. Account managers are also notified when users\xe2\x80\x99\n    information system usage or need-to-know/need-to-share changes.\n\n    AC-7 UNSUCCESSFUL LOGIN ATTEMPTS\n    The information system enforces a limit of 5 consecutive invalid access attempts by a user during\n    a 15-minute time period. The information system automatically locks the account until released\n    by an administrator when the maximum number of unsuccessful attempts is exceeded.\n\n    IA-5 AUTHENTICATOR MANAGEMENT\n    The organization manages information system authenticators by: (i) defining initial authenticator\n    content; (ii) establishing administrative procedures for initial authenticator distribution, for\n    lost/compromised, or damaged authenticators, and for revoking authenticators; (iii) changing\n    default authenticators upon information system installation; and (iv) changing/refreshing\n    authenticators periodically.\n\n    For password-based authentication, the information system: (i) protects passwords from\n    unauthorized disclosure and modification when stored and transmitted; (ii) prohibits passwords\n    from being displayed when entered; (iii) enforces password minimum and maximum lifetime\n    restrictions; and (iv) prohibits password reuse for a specified number of generations.\n\nIn addition, the Federal Desktop Core Configuration (FDCC) requires the following:\n\n    MAXIMUM PASSWORD AGE\n    All desktop operating systems in the Federal government are required to meet the minimum\n    security controls defined in the Federal Desktop Core Configuration 
(FDCC) guidance provided\n    by NIST. This guidance that applies to Windows desktops requires a maximum password age of\n    60 days.\n\nCenter for Internet Security (CIS), Novell eDirectory 8.7, Consensus Baseline, requires the following:\n\n    MAXIMUM PASSWORD AGE\n    The 60 day recommendation from FDCC guidance is also consistent with the Center for Internet\n    Security\xe2\x80\x99s Novell eDirectory 8.7 Consensus Baseline Security, Security Settings Version\n    1document which requires a maximum password age setting of 90 days or less.\n\n\n\n                                                    8\n\x0cWithout proper account management procedures, there is an increased risk that malicious users will be\nable to access NARA systems and resources. Such unauthorized access could result in the loss of data\nconfidentiality, integrity, or availability.\n\n        Recommendations\n\n        We recommend that that the NARA Chief Information Officer (CIO):\n\n        8. Implement a process for managing NARANET accounts that:\n\n            a) Requires a recertification of all system accounts at least annually.\n\n            b) Ensures all accounts are tied to a specific individual who has the responsibility for\n               managing the account, and determining the ongoing need for non-login accounts.\n\n            c) Identifies inactive accounts on a regular basis and removes access in a timely manner.\n\n            d) Ensures all access and privileges of terminated employees are promptly removed.\n\n        9. Implement a more restrictive password age control for NARANET that is consistent with\n           requirements for Federal information systems.\n\n        10. 
Implement a process for managing RCPBS accounts that:\n\n            a) Requires a recertification of all system accounts at least annually.\n\n            b) Identifies inactive accounts on a regular basis and removes or disables access in a timely\n               manner.\n\n            c) Implements a more restrictive password age control that is consistent with requirements\n               for federal information systems.\n\n        11. Implement compensating logging and monitoring controls for PPMS to ensure that the risk of\n            unauthorized access is mitigated.\n\n    2. Exit Clearance Process\n       NARA has not implemented sufficient controls to ensure that its exit clearance policies and\n       procedures are consistent with NIST requirements. Specific, issues noted during testing were:\n\n        a) NARANET accounts for terminated employees were not consistently disabled or removed in\n           a timely manner. Out of 45 sampled terminated employees, we identified five accounts that\n           were not disabled or removed a month after their effective termination date. Three of these\n           accounts were still active at the time of our testing. In addition, two of the terminated\n           employees had accessed NARANET at least once after their effective termination date.\n\n        b) RCPBS accounts of terminated employees were not consistently disabled or removed in a\n           timely manner. 
We identified four instances in which terminated employees accounts were\n           not disabled or removed because the IT Helpdesk, or other appropriate personnel, were not\n           notified of their separation.\n\nNIST SP 800-53, Revision 2: Recommended Security Controls for Federal Information Systems, requires\nthe following:\n\n                                                     9\n\x0c    PS-4 PERSONNEL TERMINATION\n    The organization, upon termination of individual employment, terminates information system\n    access, conducts exit interviews, retrieves all organizational information system-related property,\n    and provides appropriate personnel with access to official records created by the terminated\n    employee that are stored on organizational information systems.\n\nAn ineffective exit clearance process increases the risk that disgruntled former employees could use their\ncontinued system access to negatively impact the organization. Such unauthorized access could result in\nthe loss of data confidentiality, integrity, or availability.\n\n        Recommendations\n\n        We recommend that the Office of Policy and Planning Staff (NPOL):\n\n        12. Enforce its current policies and procedures used to manage systems and accounts to ensure all\n            access and privileges of terminated employees are promptly removed.\n\n        13. Ensure that supervisors receive training in their exit clearance process responsibilities,\n            including alerting applicable personnel when employees and contractors under their\n            supervision no longer require access.\n\n    3. Incident-Response Program\n       Currently, NARA\xe2\x80\x99s incident response methodology does not include testing of the incident\n       response plan or NARA-specific training for incident response roles. NARA is currently in the\n       process of finalizing a contract with an independent contractor to provide incident response\n       program support. 
       This support will include an assessment of NARA's incident response program,
       targeted training to NARA personnel involved with incident response, and a simulation of
       incident response exercises.

NIST SP 800-53, Revision 2: Recommended Security Controls for Federal Information Systems, requires
the following:

    IR-2 INCIDENT RESPONSE TRAINING
    The organization trains personnel in their incident response roles and responsibilities with
    respect to the information system and provides refresher training at least annually.

    IR-3 INCIDENT RESPONSE TESTING AND EXERCISES
    The organization tests and/or exercises the incident response capability for the information
    system at least annually using organization-defined tests and/or exercises to determine the
    incident response effectiveness and documents the results.

Without strong incident response training and testing, NARA cannot ensure that its current incident
response procedures will be handled effectively by those with incident response roles and responsibilities
or will properly mitigate all detected security incidents.

        Recommendation

        14. We recommend that the NARA CIO continue its effort to finalize the contract with the
            independent contractor to provide an assessment of NARA's incident response program,
            provide targeted training to NARA personnel involved with incident response, and to conduct
            simulated exercises.

B. Segregation of Duties
   Segregation of duties controls provide reasonable assurance that incompatible duties are effectively
   segregated. NARA does not have sufficient controls in place to ensure that incompatible roles in
   RCPBS are not assigned to individual system users. Specifically, when reviewing Webtally (a
   component system of RCPBS), we found that:

    1. Seventy-seven users were assigned the “MANAGER” role in Webtally, and can both enter and
       approve transactions without the transaction being reviewed by a second party.

    2. Users can be assigned multiple accounts with incompatible roles. For example, individuals with
       user accounts (e.g., “ACCTREP”, “MANAGER”) can also be given accounts with security
       administration capabilities (“ADMIN”). We noted 3 instances in which users were assigned
       security administration rights in addition to their user rights.

NIST SP 800-53, Revision 2: Recommended Security Controls for Federal Information Systems, states
the following:

    AC-5 SEPARATION OF DUTIES
    The information system enforces separation of duties through assigned access authorizations.

    The organization establishes appropriate divisions of responsibility and separates duties as
    needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
    There is access control software on the information system that prevents users from having all of
    the necessary authority or information access to perform fraudulent activity without collusion.
    Examples of separation of duties include: (i) mission functions and distinct information system
    support functions are divided among different individuals/roles; (ii) different individuals perform
    information system support functions (e.g., system management, systems programming, quality
    assurance/testing, configuration management, and network security); and (iii) security personnel
    who administer access control functions do not administer audit functions.

Improper segregation of duties increases the risk of fraudulent acts, which could lead to financial, data
and service loss, as well as potentially compromise the integrity, confidentiality, and availability of
RCPBS data.

        Recommendation

        We recommend that the Assistant Archivist for Regional Records Services (NR):

        15. Develop and implement policies and procedures that prohibit RCPBS users from having
            multiple accounts as well as the ability to enter and approve their own transactions.

C. Contingency Planning
   Contingency planning helps protect information resources by minimizing the risk of unplanned
   interruptions and provides for the recovery of critical operations, should interruptions occur. NARA
   did not have sufficient controls in place to ensure that contingency and disaster recovery plans for
   financial systems reflected current operating conditions. Specifically, our testing noted that the Order
   Fulfillment and Accounting (OFAS) contingency plan and the RCPBS disaster recovery plan did not
   reflect current operating conditions.

NIST SP 800-53, Revision 2: Recommended Security Controls for Federal Information Systems, states
the following:

   CP-5 CONTINGENCY PLAN UPDATE
   The organization reviews the contingency plan for the information system at least annually and
   revises the plan to address system/organizational changes or problems encountered during plan
   implementation, execution, or testing.

Not having complete and up-to-date disaster recovery and contingency plans for key financial systems
increases the risk that NARA would be unable to respond to an emergency situation, which could lead to
financial loss and loss of important data or service(s).

       Recommendations

       We recommend that the NARA CIO:

       16. Fully implement a contingency planning policy that is consistent with guidance provided in
           NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. The
           policy should include requirements for updating the contingency plan to reflect current
           operating conditions.

       We recommend that the Assistant Archivist for Administration (NA):

       17. Update the contingency and disaster recovery plans for OFAS to reflect current operating
           conditions.

       We recommend that NR:

       18. Update the contingency and disaster recovery plans for RCPBS to reflect current operating
           conditions.

STATUS OF PRIOR YEAR COMMENTS

We have reviewed the status of NARA's corrective actions with respect to the significant deficiency from
the previous year's report on internal control.
Details of the status of the recommendations are reported in
Appendix A to this report.

                                  *******************************

NARA's management response to the significant deficiencies identified in our report is included as
Appendix B to this report. We did not audit NARA's response and, accordingly, we provide no opinion
on it.

In addition to the significant deficiencies described above, we noted certain matters involving internal
control and its operation that we reported to NARA management in a separate letter, dated November 12,
2009.

This report is intended solely for the information and use of management of NARA, NARA Office of
Inspector General, GAO, OMB, and Congress, and is not intended to be and should not be used by
anyone other than those specified parties.

COTTON & COMPANY LLP

Jeffrey A. Long, CPA, CISA, CGFM
Partner

November 12, 2009
Alexandria, VA

                                  Appendix A
               NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
            STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS
                               September 30, 2009

Condition/Audit Area   Rec. No.   Recommendation                                         Current Status
-------------------------------------------------------------------------------------------------------
                                  Significant Deficiency
Access Controls            1      Develop and implement VPN user access                  Closed
                                  recertification procedures to require regular user
                                  access reviews for reasonableness.
                           2      Revise NARA IT Security Requirements to specify a      Closed – Revised
                                  specific time frame (i.e., 24 or 48 hours) in which    during FY 2009.
                                  system access is to be removed upon an employee's
                                  separation of employment.
                           3      Develop and implement Novell administrator user        Closed
                                  access recertification procedures to require regular
                                  user access reviews for reasonableness.
                           4      Enable Novell audit logging activity for user          Closed
                                  logins, ACL changes, add group member or delete
                                  group member events in accordance with NARA policy.
                           5      Update attack signatures for NARA NIDS to the most     Closed
                                  recent version.
Entity-Wide                6      Complete risk assessments for all NARANET              Open
Security Program                  components.
                           7      Finalize and approve security plans for all NARANET    Open
                                  components.
                           8      Certify each NARANET component, then certify and       Open
                                  accredit the entire NARANET general support system.
                           9      Implement policies and procedures which require the    Open
                                  completion of security and awareness training before
                                  being granted access to NARA information systems.
                          10      Complete exit clearance forms (Form 3009) for all      Closed – Revised
                                  separating employees which include formal sign-offs    during FY 2009.
                                  by functional managers and maintain these documents
                                  in accordance with NARA document retention policies.
                          11      Modify IT security requirements for new hires prior    Closed
                                  to accessing NARA systems which map to interim
                                  clearance procedures for badge issuance.
Contingency Plan          12      Finalize and approve the COOP in accordance with       Closed
                                  HSPD 7, 51, and 20, FCD 1, and NIST SP 800-34.
                          13      Finalize and approve the NARANET general support       Closed
                                  system contingency plan.

National Archives and Records Administration
Performance and Accountability Report, FY 2009

Management Response to Auditor's Report (FY 2009)

114                                                 Financial Section
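As an added illustration of the segregation-of-duties condition described in Section B (this is not code from the auditor's report, from NARA, or from the Webtally system), the following Python script checks a constructed Webtally-style account listing for the two conflicts the finding describes: a person holding a transactional role (ACCTREP or MANAGER) together with ADMIN, and a transaction entered and approved by the same person. It goes one step beyond the finding by resolving accounts to people, so a user who enters with one account and approves with a second account is still flagged. The role names come from the report; the account and transaction records are constructed sample data.

```python
"""Segregation-of-duties checks over a Webtally-style account listing.
Added example, not NARA's or the auditor's code; role names are from the
audit report, accounts and transactions below are constructed sample data."""
from collections import defaultdict

# Roles that enter or approve financial transactions vs. security administration.
TRANSACTIONAL_ROLES = {"ACCTREP", "MANAGER"}
ADMIN_ROLES = {"ADMIN"}

# Constructed account listing: (account_id, person_id, role). One person may
# hold several accounts, which is exactly the condition the finding flags.
ACCOUNTS = [
    ("acct-101", "P001", "ACCTREP"),
    ("acct-102", "P002", "MANAGER"),
    ("adm-001", "P002", "ADMIN"),     # P002: MANAGER + ADMIN -> incompatible
    ("acct-103", "P003", "MANAGER"),
    ("adm-002", "P004", "ADMIN"),     # admin only -> no conflict
]

# Constructed transaction log: (txn_id, entered_by_account, approved_by_account).
TRANSACTIONS = [
    ("T-1", "acct-101", "acct-102"),  # ACCTREP entered, MANAGER approved -> ok
    ("T-2", "acct-103", "acct-103"),  # MANAGER approved own entry -> conflict
    ("T-3", "acct-102", "adm-001"),   # same person via two accounts -> conflict
]


def roles_by_person(accounts):
    """Collapse accounts to the set of roles each person holds across all of them."""
    held = defaultdict(set)
    for _, person, role in accounts:
        held[person].add(role)
    return held


def incompatible_role_holders(accounts):
    """People holding a transactional role and a security-admin role at once."""
    return sorted(person for person, roles in roles_by_person(accounts).items()
                  if roles & TRANSACTIONAL_ROLES and roles & ADMIN_ROLES)


def self_approved_transactions(accounts, transactions):
    """Transactions entered and approved by one person, through any of their accounts."""
    owner = {acct: person for acct, person, _ in accounts}
    return sorted(txn for txn, entered, approved in transactions
                  if entered in owner and owner[entered] == owner.get(approved))


if __name__ == "__main__":
    print("Incompatible role holders:", incompatible_role_holders(ACCOUNTS))
    print("Self-approved transactions:", self_approved_transactions(ACCOUNTS, TRANSACTIONS))
```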